I'm currently having issues with my pipeline, since it is passing, but when trying to run my Helm chart in my private AKS cluster I'm getting the following issue:

command started at 2022-10-26 21:31:42+00:00, finished at 2022-10-26 21:31:43+00:00 with exitcode=1
Error: list: failed to list: secrets is forbidden: User "user-id" cannot list resource "secrets" in API group "" in the namespace "default"


These are the current steps from my pipeline:

trigger:
- dev

pool:
  vmImage: ubuntu-latest

steps:
- task: HelmInstaller@0
  inputs:
    helmVersion: '3.9.1'
    installKubectl: true
  
- task: AzureCLI@2
  inputs:
    azureSubscription: '[azure-subscription]'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: 'az account show'

- task: AzureCLI@2
  inputs:
    azureSubscription: '[azure-subscription]'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az account set --subscription $(AzureSubscription)
      az aks get-credentials --resource-group [name] --name [cluster-name]

- task: Bash@3
  displayName: 'Git configuration'
  inputs:
    targetType: 'inline'
    script: |
      git config --global user.name "[username]"
      git config --global user.email "[email]"
     

- task: Bash@3
  displayName: 'Git clone'
  inputs:
    targetType: 'inline'
    script: |
      git clone https://$(user):$(Password)@dev.azure.com/test/project/_git/project01
- task: Bash@3
  displayName: 'Get into the right folder'
  inputs:
    targetType: 'inline'
    script: |
      cd project01
      cd helm
      cd project

- task: HelmDeploy@0
  inputs:
    connectionType: 'Azure Resource Manager'
    azureSubscription: '[azure-subscription]'
    azureResourceGroup: '[resource-name]'
    kubernetesCluster: '[cluster-name]'
    useClusterAdmin: true
    command: 'login'

- task: AzureCLI@2
  inputs:
    azureSubscription: '[azure-subscription]'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az aks command invoke --resource-group [name] --name [cluster-name] --command "helm ls"
      



- script: |
    echo Add other tasks to build, test, and deploy your project.
    echo See https://aka.ms/yaml
  displayName: 'Run a multi-line script'


Azure DevOps shows it as completed, but when you check the last command:

 az aks command invoke --resource-group [name] --name [cluster-name] --command "helm ls"

The output of this is the following:

Error: list: failed to list: secrets is forbidden: User "user-id" cannot list resource "secrets" in API group "" in the namespace "default"

I checked my service principal in Azure and I was able to update it, and everything is fine there, but I'm not sure what could be missing to be able to run my command without any errors in my deployment. I also tried to do the same steps manually and I was able to do that successfully. The problem is within Azure DevOps. My questions here are:

  • Do we need to do any other configuration to be able to work with a private AKS cluster?
  • Do we need to have any service principal running on Azure DevOps, even though it is a private cluster?
Hvaandres

1 Answer

Can you check if RBAC is enabled on your cluster?

AKS Cluster --> Setting --> Authentication and Authorization.

If yes, you need to create roles and attach a role binding to the namespace for the ADO user to run Helm commands. Alternatively, you can create a group in AD and add the user to the admin group (not recommended).

iamattiq1991
  • I attached role binding into the namespace but the pipeline is not accepting the changes. I believe it needs its own service connection – Hvaandres Nov 02 '22 at 19:15
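
A namespace-scoped Role and RoleBinding of the kind the answer describes, as an added example that is not part of the original thread. Helm 3 stores release records as Secrets in the release namespace, which is why `helm ls` needs to list secrets; the object names, the chart-resource rules and the `<user-id-from-error>` placeholder are assumptions to replace with your own values.

```yaml
# Added example, not from the original post. Names marked "hypothetical" are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: helm-release-manager          # hypothetical name
  namespace: default                  # namespace named in the Forbidden error
rules:
  # Helm 3 release storage: release records live in Secrets in this namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "create", "update", "delete"]
  # Objects the chart itself creates. Assumption: trim or extend these two
  # rules to match what the chart's templates actually render.
  - apiGroups: [""]
    resources: ["services", "configmaps"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helm-release-manager-ado      # hypothetical name
  namespace: default
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    # Placeholder: use the exact identity string quoted after User in the
    # Forbidden error, since that is the name the API server is authorizing.
    name: "<user-id-from-error>"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: helm-release-manager
```

After applying it, `kubectl auth can-i list secrets --namespace default --as "<user-id-from-error>"` should answer `yes`. Binding a Role in one namespace keeps the pipeline identity away from cluster-wide admin rights, which is the option the answer marks as not recommended.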